Ako
Ako, or MedusaReborn, is a ransomware that runs on Microsoft Windows. It uses code from MedusaLocker and is aimed at English-speaking users. Ako was discovered yesterday when a victim posted in the BleepingComputer support forums about a new ransomware that had encrypted both their Windows 10 desktop and their Windows SBS 2011 server. According to Kremez, who performed the analysis of the ransomware, Ako shares some similarities with MedusaLocker, which has led people to call it MedusaReborn.

Payload Transmission

Ako is distributed through malicious spam attachments that pretend to be a requested agreement. These emails claim to contain an agreement requested by the recipient and use subjects such as "Agreement 2020 #1775505". Attached to these emails is a password-protected zip file named agreement.zip, with the password '2020' given in the email. The extracted archive contains an executable renamed to agreement.scr that, when executed, installs the ransomware.

Infection

When started, Ako first executes the following commands to delete shadow volume copies, clear recent backups, and disable the Windows recovery environment:

vssadmin.exe Delete Shadows /All /Quiet
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
wbadmin DELETE SYSTEMSTATEBACKUP
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
wmic.exe SHADOWCOPY /nointeractive

It also creates the Registry value EnableLinkedConnections under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key and sets it to 1. This is done to make sure mapped drives are accessible even from a process launched through UAC.

The ransomware then begins to encrypt files on the device. When encrypting files, Ako encrypts all files that do not have one of the extensions .exe, .dll, .sys, .ini, .lnk, .key or .rdp and whose paths do not contain any of the following strings:

Folder Blacklist:
$
AppData
Program Files
Program Files (x86)
AppData
boot
PerfLogs
ProgramData
Google
Intel
Microsoft
Application Data
Tor Browser
Windows

When a file is encrypted, it is renamed and a randomly generated extension is appended to the file name. For example, 1.doc would be encrypted and renamed to 1.doc.Ci3Qn3. A CECAEFBE file marker is also appended to the contents of each file and can be used to identify that the file was encrypted by Ako. This file marker can be seen when viewing an encrypted file in a hex editor.

During the encryption process, Ako uses the GetAdaptersInfo function to get a list of network adapters and their associated IP addresses. The ransomware then performs a ping scan of any local networks using the IcmpSendEcho function to create a list of responding machines. Any machines that respond are checked for network shares to encrypt as well.

When the ransomware is finished, the encryption key used to encrypt the victim's files is itself encrypted and stored in a file named id.key on the victim's Windows desktop. Also on the desktop is a ransom note named ako-readme.txt. This note contains a URL to access the Ako Tor payment site in order to get payment instructions. This site is located at http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion.

Text presented in Ako ransomware's text file ("ako-readme.txt"):

Your network have been locked.
All your files, documents, photos, databases and other important data are encrypted and have the extension: *******
Backups and shadow copies also encrypted or removed.
Any third-party software may damage encrypted data but not recover.
From this moment, it will be impossible to use files until they are decrypted.
The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recovery your files.
To get info (decrypt your files) follow this steps:
1) Download and install Tor Browser: hxxps://www.torproject.org/download/
2) Open our website in TOR: hxxp://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/I8VC6PIEQL8JFKHM
3) Paste your ID in form (you can find your ID below)
!! ATTENTION !!
!! Any third - party software may damage encrypted data but not recover.
!! DO NOT MODIFY ENCRYPTED FILES
!! DO NOT CHANGE YOUR ID
!! DO NOT REMOVE YOUR ID.KEY FILE
--- BEGIN PERSONAL ID ---
-
--- END PERSONAL ID ---

Note how the ransom note states that "Your network have been locked" to indicate that they are targeting networks and not individual devices. When Lawrence Abrams asked the ransomware developers whether they target both networks and individual workstations, they told BleepingComputer that they are "Only working on network."

Included in the ransom note is a 'Personal ID' that, when decoded, becomes a JSON-formatted object containing the extension, the encrypted key, a network configuration setting, a subid most likely used for affiliates, and the ransomware's version. The version is currently at .5.

When a victim accesses the Tor site, it will say the following:

We apologize!
Your network have been locked
Dont worry! You can return all your files!

They will need to enter their personal ID to see the ransom demand and instructions.

Text on this page:

Your files have been locked!
Whats happened?
All documents, photos, databases and other important files encrypted
How to decrypt files?
The only way to decrypt your files is to receive the 2mzWmb-Decryptor
Are you ready?
We guarantee that you can recover all your files. But you have not so enough time.
Buy 2mzWmb-Decryptor
Price now: 0.479 BTC (~3800$)
You have: 2 days. 14:57:48
If payment isnt made in this time, the cost will be doubled: 0.9576 BTC (~7600$)
Buy 2mzWmb-Decryptor
Support Chat
1. Create Bitcoin Wallet (we recommend Blockchain.info)
2. Buy necessary amount of Bitcoins - 0.479 BTC
3. Send 0.479 BTC to the address: 1DUBrMcH9T13oFSa59jxtFDM5eWTP8v2yc
4. After payment paste your transaction id in this form.
5. If payment is done - reload current page.
TXID Received BTC/USD Date
You can buy BTC here: coinbase.com, bitpanda.com, cex.io, gemini.com, buybitcoinworldwide.com
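Detection logic for the Infection section above: the recovery-inhibition commands and the EnableLinkedConnections registry change, run over constructed, simplified event lines. This is an added example and not code from the page or the malware; the `EventID|Image-or-TargetObject|CommandLine-or-Details` line shape, the sample events and the rule names are assumptions.

```python
import re

# Constructed sample telemetry (not from the page) in a simplified
# "EventID|Image-or-TargetObject|CommandLine-or-Details" shape, loosely modelled on
# Sysmon process-creation (ID 1) and registry value-set (ID 13) events.
SAMPLE_EVENTS = [
    r"1|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"1|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No",
    r"1|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"1|C:\Windows\System32\wbadmin.exe|wbadmin DELETE SYSTEMSTATEBACKUP",
    r"1|C:\Windows\System32\wbadmin.exe|wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest",
    r"1|C:\Windows\System32\wbem\WMIC.exe|wmic.exe SHADOWCOPY /nointeractive",
    r"13|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections|DWORD (0x00000001)",
    r"1|C:\Windows\System32\notepad.exe|notepad.exe agreement.txt",  # benign noise
]

# One pattern per recovery-inhibition command the page lists, matched on the command line.
PROCESS_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "bcdedit_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin_delete_systemstate": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+systemstatebackup\b", re.I),
    "wmic_shadowcopy": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\b", re.I),
}
# Registry value the page says Ako sets to 1 so mapped drives stay visible to elevated processes.
LINKED_CONNECTIONS = re.compile(r"\\Policies\\System\\EnableLinkedConnections$", re.I)

def analyze(events):
    """Return the rule names seen and whether the combination warrants an alert.

    A single command (an admin running vssadmin, say) is weak evidence; two or more
    distinct recovery-inhibition commands from the list above is the signal.
    """
    matched = set()
    for line in events:
        event_id, target, detail = line.split("|", 2)
        if event_id == "1":
            for name, pattern in PROCESS_RULES.items():
                if pattern.search(detail):
                    matched.add(name)
        elif event_id == "13" and LINKED_CONNECTIONS.search(target) and "0x00000001" in detail:
            matched.add("enable_linked_connections_set_1")
    recovery_hits = [m for m in matched if m != "enable_linked_connections_set_1"]
    return {"matched": sorted(matched), "alert": len(recovery_hits) >= 2}

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```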
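The extension exclusions, folder blacklist, renaming pattern and appended file marker described above, turned into a triage helper a responder could run over a file listing. This is an added example, not code from the page or the malware; it assumes the marker is the four raw bytes CE CA EF BE (also accepting the ASCII spelling, since the page shows it only in a hex editor) and that the random extension is six alphanumeric characters, as in the page's single example.

```python
import os
import re

# Exclusions the page attributes to Ako: files with these extensions are left alone ...
SKIPPED_EXTENSIONS = {".exe", ".dll", ".sys", ".ini", ".lnk", ".key", ".rdp"}
# ... as are paths containing any of these strings (the page's folder blacklist).
FOLDER_BLACKLIST = ["$", "AppData", "Program Files", "Program Files (x86)", "boot", "PerfLogs",
                    "ProgramData", "Google", "Intel", "Microsoft", "Application Data",
                    "Tor Browser", "Windows"]
# The page shows an appended "CECAEFBE" marker in a hex editor; whether that means the raw bytes
# CE CA EF BE or the ASCII text is an assumption here, so both spellings are accepted.
MARKERS = (bytes.fromhex("CECAEFBE"), b"CECAEFBE")
# Page example: 1.doc -> 1.doc.Ci3Qn3 (original extension kept, 6-char extension appended; assumed length).
RANDOM_EXT = re.compile(r"^(.+\.[A-Za-z0-9]{1,5})\.([A-Za-z0-9]{6})$")

def in_scope(path):
    """Would Ako's filter, as the page describes it, select this path for encryption?"""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIPPED_EXTENSIONS:
        return False
    return not any(s in path for s in FOLDER_BLACKLIST)

def classify(path, data):
    """'encrypted' (renamed and marked), 'suspicious' (one indicator), 'untouched' or 'skipped'."""
    has_marker = any(m in data for m in MARKERS)
    m = RANDOM_EXT.match(os.path.basename(path))
    if has_marker and m:
        return {"status": "encrypted", "original_name": m.group(1), "appended_ext": m.group(2)}
    if has_marker or m:
        return {"status": "suspicious", "marker": has_marker, "renamed": bool(m)}
    return {"status": "untouched" if in_scope(path) else "skipped"}

# Constructed sample files (not from the page) to exercise the triage logic.
SAMPLE_FILES = {
    r"C:\Users\alice\Documents\1.doc.Ci3Qn3": b"\x8a\x11...ciphertext..." + bytes.fromhex("CECAEFBE"),
    r"C:\Users\alice\Documents\budget.xlsx": b"PK\x03\x04...",
    r"C:\Windows\System32\kernel32.dll": b"MZ...",
    r"C:\Users\alice\AppData\Roaming\notes.txt": b"plain text",
    r"C:\Users\alice\Desktop\tool.exe": b"MZ...",
}

def triage(files):
    """Map each path in a {path: content} dict to its triage status."""
    return {path: classify(path, data)["status"] for path, data in files.items()}
```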